Cisco has provided additional information and safeguards for the Cisco CSS Content Services Switch and ACE Application Control Engine HTTP SSL header spoofing vulnerability.
Cisco CSS Content Services Switch (CSS), SSL Services Module (SSLM), and ACE Application Control Engine (ACE) contain a vulnerability that could allow an authenticated, remote attacker to insert spoofed SSL headers into HTTP requests.
The vulnerability exists because the affected products weakly enforce authority in HTTP certificate headers when performing SSL session termination. An authenticated, remote attacker could exploit this vulnerability by inserting spoofed SSL certificate headers into requests that are passed to the affected products for SSL termination. If successful, an attacker might be able to perform man-in-the-middle attacks, gaining access to sensitive information.
Cisco has confirmed this vulnerability in software release notes and released updated software.
This vulnerability affects Cisco CSS devices, SSLM, and ACE modules. SSL header insertion first appeared in version A2(3.0) for the ACE module; ACE appliances do not perform header insertion and are not affected.
CSS devices running version 8.10.6.03S or later, or 8.20.4.03S or later can be configured to first remove HTTP headers in requests before appending the CSS's own headers. The default configuration in these versions is not to remove these headers, but if configured with ssl pre-remove-http-hdr they are not affected.
This vulnerability could affect any CSS or SSLM installation, but could have a greater impact on installations configured to perform client certificate validation through the following configuration statement on the CSS: ssl-server < CONTEXT >http-header client-certand the following ssl-proxy policy http-header configuration statement on the SSLM: client-cert.
Ultimately, the impact of this vulnerability will depend on the applications behind an affected CSS device and how those devices handle the presence of multiple SSL headers throughout HTTP requests. If the applications process the last headers that appear in the request, they will receive those added by the CSS, but any other handling of SSL headers could result in the processing of the wrong headers.
The CSS behavior is documented in Cisco bug ID CSCsz04690
Cisco thanks Virtual Security Research, LLC, George D. Gal researcher for reporting this issue.
An authenticated, remote attacker could exploit this vulnerability to insert spoofed SSL certificates into HTTP requests. The spoofed certificates could allow the attacker to perform man-in-the-middle attacks and gain access to sensitive information.
When using the CSS to terminate SSL communications, SSL client certificates are first authenticated by the CSS. From there, the CSS will normally pass the client's identity to the back-end web server in the form of several HTTP headers. Because the CSS inserts SSL certificate information headers at the end of the request header, there is a possibility that an attacker could insert spoofed headers earlier in the header. Some servers may then process the first instance of the header and use the spoofed header instead of the header inserted by the CSS.
On the CSS, the ssl-server < CONTEXT >http-header prefix < RANDOM_PREFIX > command will further secure the headers from the spoofing exposure by allowing a server administrator to define a random header prefix that will be prepended to new client certificates.
On the SSLM, the following ssl-proxy policy http-header configuration statement will insert a configured prefix that will be prepended to the SSLM-inserted headers: prefix < prefix >. Also on the SSLM, the header names may be changed via the following ssl-proxy policy http-header configuration statement: alias < alias string > < header name >.
In addition, with CSS releases 8.20.4.03S and 8.10.6.03S, the following new command has been implemented: ssl pre-remove-http-hdr. This command will remove existing headers prior to inserting a new header. For example, if the software is configured for client certificate information, this command would cause existing client certificate headers to be removed and then the new headers would be inserted. Note that this functionality does not work with prefixes. The default behavior will continue to ignore headers before insertion. The no ssl pre-remove-http-hdr command reverts to default behavior. This command may impact CSS performance based on the number of headers present.
SSL header insertion was first implemented in the ACE module with version A2(3.0). SSL header insertion functionality does not exist in the ACE appliance.
Cisco customers can obtain upgrades by contacting the Cisco Technical Assistance Center at 1-800-553-2447 or 1-408-526-7209 or via e-mail at email@example.com.
Version 2, July 14, 2010, 12:51 PM: Cisco has confirmed that the SSL Services Module is also affected by this vulnerability. CVSS scoring details have been updated to correctly reflect the vulnerability details.
Version 1, July 2, 2010, 10:15 AM: Cisco Content Services Switch and Application Control Engine contain a vulnerability that could allow an unauthenticated, remote attacker to insert spoofed SSL headers into HTTP requests. Updates are available.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.